RE: [ISN] Should Microsoft be Liable for Bugs?

From: InfoSec News (isnat_private)
Date: Thu Sep 18 2003 - 22:26:37 PDT

  • Next message: InfoSec News: "[ISN] Solaris Flaw Leaves Machines Open to Attacks"

    Forwarded from: Jason Coombs <jasoncat_private>
    Cc: mbernardat_private
    > For example; The FDA and Health Canada "strongly-encourages"
    > Pharmaceuticals to validated the computers and systems that are use
    > to develop drugs.
    Quality Assurance in the computer business is much easier than in the
    pharma business.
    Scary thought, huh?
    Malicious software looks exactly like any other software: it's simply
    machine code instructions (or script instructions/byte code meant for
    an interpreter/virtual machine runtime).
    What do malicious amino acid and nucleic acid sequences look like? You
    guessed it, they look exactly like us.
    There's just no technical difference between a modern pharmaceutical
    and a human being. The way that QA works in the pharma business, we
    are all vulnerable to computer-based attacks that specifically target
    nucleic acid and amino acid synthesizers for the purpose of inserting
    malicious sequences (malicious genes, malicious aminos) that pharma
    companies have only one chance to detect in order to prevent serious
    harm: before they ship their product.
    A variety of lab tests are possible for optimal security in a pharma
    factory, including a simple weight measurement of the resulting
    biochemical compound -- the engineers know in advance what the precise
    weight will be of each sample of each correctly-constituted drug. But
    do they weigh each sample before shipping it out? Doubtful. They
    definitely cannot perform any destructive testing on each sample, so
    the security control boils down to one simple thing: preventing ALL
    executions of unauthorized code in the CPUs that control the
    synthesizers. Period. With a 100% success rate. No vulnerabilities.
    There is good reason to believe that in the present computing
    environment it is only a matter of time before a computer virus or
    other malware is designed to infect a particular brand of
    DNA/RNA/amino acid synthesizer control computer, instructing that
    computer to insert malicious sequences in the synthesized biological
    end product. Converting itself, if you'll forgive the whimsical musing
    of science fiction, from an infectious computer contaminant into a
    biological one.
    The frustrating thing is that we, as an industry, are still mired in
    the immature growth phase of argue, argue, argue, defend our own
    interests, defend, defend, defend, and this immaturity is driving us
    to seriously consider outlawing full disclosure... If we have any
    common sense left, we'll stop our self-interested bickering and
    tug-o-war struggles over control of little bits of software code
    "intellectual property" (are you listening, SCO ? MS ?) and acquire a
    little perspective. When the first person dies from a contaminated
    pharmaceutical, somebody better break the law (and violate their
    employment contract) and post the details of the exploit to
    full-disclosure or I'm going to hold them personally responsible when
    my family member becomes victim #2.
    Jason Coombs
    -----Original Message-----
    From: owner-isnat_private [mailto:owner-isnat_private]On Behalf
    Of InfoSec News
    Sent: Wednesday, September 17, 2003 7:32 PM
    To: isnat_private
    Subject: Re: [ISN] Should Microsoft be Liable for Bugs?
    Forwarded from: Mark Bernard <mbernardat_private>
    Dear Associates,
    This is a frustrating problem the recreates itself on a seemingly
    weekly basis.
    For years now the software industry has regulated itself doing a
    pretty decent job and then came along M$. Everything has changed and
    will continue to change, increasing the integration and inherent
    dependencies of business systems with business processes perhaps its
    time for our industry to evolve as well.
    For example; The FDA and Health Canada "strongly-encourages"
    Pharmaceuticals to validated the computers and systems that are use to
    develop drugs. The validation process although designed to 'control'
    the environment is very flexible allowing differences in
    configurations so long as they are recorded and validated. The
    validating process must include a formal change management
    process/document management. The practice in truly ISO or Deming's TQM
    and its sadly missing from software development in general.
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Sep 19 2003 - 01:39:29 PDT